Change in behavior of ssh session after IOS upgrade

Answered Question
Feb 23rd, 2010

I upgraded a series of 3560s and 4506s to version 12.2(53)SE and 12.2(53)SG1, respectively. Before the upgrade, I would log in to the switches using an SSH client. I'd enter a user id and password for the initial connection and then if I wanted to get into enable mode, I had to enter a separate password. Now, after the upgrade, on the 3560s, I am automatically placed into enable mode after entering the initial userid/password sequence. There's no need to enter a separate enable password. On the 4506s, the functionality is the same as before the upgrade. Any ideas on what happened and how I might be able to get the 3560s back to the original behavior?

Overall Rating: 5 (2 ratings)
Correct Answer
Giuseppe Larosa Mon, 03/01/2010 - 13:41

Hello Sdavids5670,

Without seeing your configuration and maybe the output of appropriate debug commands, it is difficult to say what has changed.


It should be more related to AAA commands rather than the use of SSH instead of telnet.


Skip usernames and passwords, change your public IP addresses, if any, on devices and post the configuration.


Probably a default AAA command was changed and it is causing this behavior.


Hope to help

Giuseppe

Correct Answer
Ganesh Hariharan Mon, 03/01/2010 - 22:45

Hi,


It can be a problem with the AAA configuration in your switches for enable mode authentication. Just check out the sample configuration below, which will go for enable-level password authentication also, with a TACACS server configured for authentication.


aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable


Hope to Help !!


If helpful do rate the post


Ganesh.H

sdavids5670 Wed, 03/03/2010 - 07:06

Thanks for the help. There were two approaches to returning the behavior back to what it was before the upgrade. I needed either to a) add 'aaa new-model' to the configuration or b) remove the 'password' command from the 'line vty' section. Either one worked.
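
A check for the two settings the original poster changed, as an added example that is not part of the thread and not Cisco tooling: it reads running-config text and flags a device where 'aaa new-model' is absent and a 'line vty' block carries a 'password' command. The sample configs, the audit function and its field names are constructed for illustration, and the flag reflects the poster's report rather than a confirmed root cause.

```python
import re

# Constructed sample configs for illustration (not taken from the thread).
BEFORE = """\
hostname sw-3560-a
username admin secret 5 <redacted>
!
line vty 0 4
 password 7 <redacted>
 login local
 transport input ssh
line vty 5 15
 login local
"""

AFTER = """\
hostname sw-3560-a
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
line vty 0 4
 password 7 <redacted>
 transport input ssh
"""


def audit(config: str) -> dict:
    """Report the settings this thread ties to the enable-prompt behaviour."""
    found = {"aaa_new_model": False, "enable_method_list": False,
             "vty_with_password": []}
    section = None  # the 'line vty ...' block being read, if any
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw[0].isspace():  # a top-level command closes the previous block
            line = raw.rstrip()
            section = line if line.startswith("line vty") else None
            found["aaa_new_model"] |= line == "aaa new-model"
            found["enable_method_list"] |= line.startswith("aaa authentication enable ")
        elif section and re.match(r"\s+password\b", raw):
            found["vty_with_password"].append(section)
    # Assumption: flag the combination the poster reported changing (no AAA + vty password).
    found["needs_review"] = not found["aaa_new_model"] and bool(found["vty_with_password"])
    return found


if __name__ == "__main__":
    print(audit(BEFORE)["needs_review"], audit(AFTER)["needs_review"])
```

Feed it the saved output of 'show running-config' from each upgraded switch to list the ones that still match the pre-fix state.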
